
On Ubuntu 16.04.3 / OpenSSH_7.2p2, disabling tunneling globally by setting these values in /etc/ssh/sshd_config has no effect, and dynamic / local tunnels still work:

AllowAgentForwarding no
AllowTcpForwarding no
AllowStreamLocalForwarding no
PermitOpen none
PermitTunnel no
X11Forwarding no

Update: I can only make it work by using "Match" on selected user(s):

Match User zuser
  AllowTcpForwarding no
  X11Forwarding no
  AllowAgentForwarding no
  AllowStreamLocalForwarding no
  PermitOpen none
  PermitTunnel no
user3759159

2 Answers


OpenSSH will unexpectedly apply settings when using Match and not apply settings when not using Match if at some earlier position in the configuration there is another Match block.

The following example demonstrates this:

Match Group sudo
  # this is applied to sudo members
  ClientAliveInterval 20
  # this is applied to sudo members
  AllowTcpForwarding yes

# one might assume that the Match block has ended here - it did not
# the following is ALSO applied to sudo members only
X11Forwarding
AllowTcpForwarding no

Though most configurations use indentation for better readability, a Match block does not end when the indentation ends.

If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.

OpenSSH will only notice unintended configuration changes from an inappropriate Match insertion if one of those options is not valid in that context. Otherwise, the following directives simply become dependent on that Match condition.

The unexpected configuration can be resolved by inserting all Match blocks strictly at the very end of the configuration file - and placing all unconditional configuration strictly above the first Match line.

anx
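As an added example (not from the question or either answer), a small shell lint for the Match pitfall described in this answer: it lists every directive sshd treats as conditional and flags the flush-left ones that were probably meant to be global. The sample config is constructed; on a real host point CFG at /etc/ssh/sshd_config and confirm the effective settings with sshd -T -C.

```shell
#!/bin/sh
# Added example (not from the question or the answers): lint for the Match
# pitfall.  Every directive after a Match line belongs to that Match until the
# next Match or end of file, whatever its indentation.  The config below is a
# constructed sample; on a real host set CFG to /etc/ssh/sshd_config.
set -eu

CFG="${TMPDIR:-/tmp}/sshd_config.sample.$$"
cat >"$CFG" <<'EOF'
# constructed sample: global section first, then a Match block
AllowTcpForwarding no
PermitTunnel no

Match Group sudo
  ClientAliveInterval 20
  AllowTcpForwarding yes

# looks global, but is still part of "Match Group sudo"
X11Forwarding no
AllowTcpForwarding no
EOF

# Print "DIRECTIVE<TAB>match criteria" for every directive under a Match.
conditional_directives() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                      # comments, blanks
    tolower($1) == "match"   { crit = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", crit); next }
    crit != ""               { printf "%s\t%s\n", $1, crit }
  ' "$1"
}

# The likely mistakes: flush-left directives after a Match line.  Indented
# ones were probably meant to be conditional; unindented ones probably not.
suspicious_directives() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    tolower($1) == "match"   { seen = 1; next }
    seen && /^[^ \t]/        { print $1 }
  ' "$1"
}

conditional_directives "$CFG"
suspicious_directives "$CFG"
# Authoritative check on a live host (needs root, not run here):
#   sshd -T -C user=zuser,host=localhost,addr=127.0.0.1 | grep -i forwarding
```

On the sample, the second function reports X11Forwarding and AllowTcpForwarding: exactly the two lines the author of the question would have expected to be global.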

This seems to work fine for me in a Vagrant box (openssh-server 1:7.2p2-4ubuntu2.2):

AllowTcpForwarding no

/var/log/auth.log:

Nov 22 16:19:41 packer-qemu sshd[1164]: refused local port forward: originator 127.0.0.1 port 44540, target localhost port 22
Nov 22 16:19:46 packer-qemu sshd[1164]: refused local port forward: originator 127.0.0.1 port 44546, target localhost port 22

Are you sure you don't have something else in your configuration file which overrides your setting somehow (like a Match statement)?

Nils